package edu.internet2.middleware.shibboleth.idp.profile.saml1;

import edu.internet2.middleware.shibboleth.common.profile.ProfileException;
import edu.internet2.middleware.shibboleth.common.profile.provider.BaseSAMLProfileRequestContext;
import edu.internet2.middleware.shibboleth.common.relyingparty.provider.saml1.ArtifactResolutionConfiguration;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import org.joda.time.DateTime;
import org.opensaml.common.SAMLObjectBuilder;
import org.opensaml.common.binding.BasicEndpointSelector;
import org.opensaml.common.binding.artifact.SAMLArtifactMap;
import org.opensaml.common.binding.decoding.SAMLMessageDecoder;
import org.opensaml.saml1.binding.SAML1ArtifactMessageContext;
import org.opensaml.saml1.core.Assertion;
import org.opensaml.saml1.core.AssertionArtifact;
import org.opensaml.saml1.core.NameIdentifier;
import org.opensaml.saml1.core.Request;
import org.opensaml.saml1.core.Response;
import org.opensaml.saml1.core.StatusCode;
import org.opensaml.saml2.metadata.AssertionConsumerService;
import org.opensaml.saml2.metadata.AttributeAuthorityDescriptor;
import org.opensaml.saml2.metadata.Endpoint;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.ws.message.decoder.MessageDecodingException;
import org.opensaml.ws.transport.http.HTTPInTransport;
import org.opensaml.ws.transport.http.HTTPOutTransport;
import org.opensaml.xml.security.SecurityException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:edu/internet2/middleware/shibboleth/idp/profile/saml1/ArtifactResolution.class */
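/**
 * SAML 1 artifact resolution profile handler.
 *
 * <p>A relying party presents one or more {@code AssertionArtifact} values and receives the
 * assertions that were stored in the {@link SAMLArtifactMap} for them. An artifact is a bearer
 * reference to an assertion, so it is released only when all of the following hold: the map entry
 * exists and has not expired, the entry was issued by this IdP, and the entry was issued to the
 * relying party that is making the request. A redeemed artifact is removed from the map.</p>
 */
public class ArtifactResolution extends AbstractSAML1ProfileHandler {
    /** Class logger. */
    private final Logger log = LoggerFactory.getLogger(ArtifactResolution.class);

    /** Builder of SAML 1 {@link Response} objects. */
    private SAMLObjectBuilder<Response> responseBuilder = getBuilderFactory().getBuilder(Response.DEFAULT_ELEMENT_NAME);

    /** Builder of assertion consumer service endpoints, used by {@link #selectEndpoint}. */
    private SAMLObjectBuilder<AssertionConsumerService> acsEndpointBuilder = getBuilderFactory().getBuilder(AssertionConsumerService.DEFAULT_ELEMENT_NAME);

    /** Store that maps issued artifacts to the SAML messages they reference. */
    private SAMLArtifactMap artifactMap;

    /* loaded from: input_file:edu/internet2/middleware/shibboleth/idp/profile/saml1/ArtifactResolution$ArtifactResolutionRequestContext.class */
    /**
     * Request context for one artifact resolution exchange. It carries the artifacts presented by
     * the requester and the assertions that were released for them.
     */
    public class ArtifactResolutionRequestContext extends BaseSAML1ProfileRequestContext<Request, Response, ArtifactResolutionConfiguration> implements SAML1ArtifactMessageContext<Request, Response, NameIdentifier> {
        /** Artifacts associated with the request. */
        private Collection<String> artifacts;

        /** Assertions released for the presented artifacts. */
        private Collection<Assertion> referencedAssertions;

        /** Creates an empty context. */
        public ArtifactResolutionRequestContext() {
        }

        /**
         * Gets the artifacts associated with the request.
         *
         * @return the artifacts, or {@code null} if none were set
         */
        public Collection<String> getArtifacts() {
            return this.artifacts;
        }

        /**
         * Sets the artifacts associated with the request.
         *
         * @param collection the artifacts
         */
        public void setArtifacts(Collection<String> collection) {
            this.artifacts = collection;
        }

        /**
         * Gets the assertions released for the presented artifacts.
         *
         * @return the assertions, or {@code null} if dereferencing has not run
         */
        public Collection<Assertion> getDereferencedAssertions() {
            return this.referencedAssertions;
        }

        /**
         * Sets the assertions released for the presented artifacts.
         *
         * @param collection the assertions
         */
        public void setDereferencedAssertions(Collection<Assertion> collection) {
            this.referencedAssertions = collection;
        }
    }

    /**
     * Creates the handler.
     *
     * @param sAMLArtifactMap store from which presented artifacts are looked up and removed
     */
    public ArtifactResolution(SAMLArtifactMap sAMLArtifactMap) {
        this.artifactMap = sAMLArtifactMap;
    }

    /**
     * Gets the identifier of this profile.
     *
     * @return the Shibboleth SAML 1 artifact query profile URI
     */
    public String getProfileId() {
        return "urn:mace:shibboleth:2.0:profiles:saml1:query:artifact";
    }

    /**
     * Handles one artifact resolution request: decodes it, resolves the artifacts, then encodes a
     * response and writes an audit log entry.
     *
     * <p>A {@link ProfileException} raised while checking configuration, checking the SAML version
     * or dereferencing artifacts is turned into a SAML error response, so the requester gets a
     * protocol-level answer and the failed attempt is still written to the audit log. A failure in
     * {@link #decodeRequest} is not converted and propagates to the caller.</p>
     *
     * @param hTTPInTransport transport the request arrives on
     * @param hTTPOutTransport transport the response is written to
     * @throws ProfileException if the request cannot be decoded, or if encoding the response or
     *             writing the audit entry fails
     */
    public void processRequest(HTTPInTransport hTTPInTransport, HTTPOutTransport hTTPOutTransport) throws ProfileException {
        ArtifactResolutionRequestContext requestContext = new ArtifactResolutionRequestContext();
        decodeRequest(requestContext, hTTPInTransport, hTTPOutTransport);

        Response samlResponse;
        // The processing steps belong inside the try: with an empty try block the catch clause is
        // dead code and every processing failure escapes without a SAML error response.
        try {
            if (requestContext.getProfileConfiguration() == null) {
                String msg = "SAML 1 Artifact resolution profile is not configured for relying party " + requestContext.getInboundMessageIssuer();
                // A refusal must not carry a top-level Success code; Responder/RequestDenied matches
                // the other refusal paths in this class.
                requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER, StatusCode.REQUEST_DENIED, msg));
                this.log.warn(msg);
                throw new ProfileException(msg);
            }
            checkSamlVersion(requestContext);
            derferenceArtifacts(requestContext);
            samlResponse = buildArtifactResponse(requestContext);
        } catch (ProfileException e) {
            // Presumably built from the failure status recorded on the context - confirm in the superclass.
            samlResponse = buildErrorResponse(requestContext);
        }

        requestContext.setOutboundSAMLMessage(samlResponse);
        requestContext.setOutboundSAMLMessageId(samlResponse.getID());
        requestContext.setOutboundSAMLMessageIssueInstant(samlResponse.getIssueInstant());
        encodeResponse(requestContext);
        writeAuditLogEntry(requestContext);
    }

    /**
     * Populates the request context with transport and protocol settings and decodes the inbound
     * message with the configured decoder.
     *
     * <p>{@code populateRequestContext} runs in a {@code finally} block, so the context is filled
     * in even when decoding fails.</p>
     *
     * @param artifactResolutionRequestContext context to populate
     * @param hTTPInTransport transport the request arrives on
     * @param hTTPOutTransport transport the response is written to
     * @throws ProfileException if the message cannot be decoded or does not meet the security
     *             requirements enforced during decoding
     */
    protected void decodeRequest(ArtifactResolutionRequestContext artifactResolutionRequestContext, HTTPInTransport hTTPInTransport, HTTPOutTransport hTTPOutTransport) throws ProfileException {
        if (this.log.isDebugEnabled()) {
            this.log.debug("Decoding message with decoder binding '{}'", getInboundMessageDecoder(artifactResolutionRequestContext).getBindingURI());
        }
        artifactResolutionRequestContext.setCommunicationProfileId(getProfileId());
        artifactResolutionRequestContext.setMetadataProvider(getMetadataProvider());
        artifactResolutionRequestContext.setInboundMessageTransport(hTTPInTransport);
        artifactResolutionRequestContext.setInboundSAMLProtocol("urn:oasis:names:tc:SAML:1.1:protocol");
        artifactResolutionRequestContext.setSecurityPolicyResolver(getSecurityPolicyResolver());
        artifactResolutionRequestContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
        artifactResolutionRequestContext.setOutboundMessageTransport(hTTPOutTransport);
        artifactResolutionRequestContext.setOutboundSAMLProtocol("urn:oasis:names:tc:SAML:1.1:protocol");
        try {
            SAMLMessageDecoder inboundMessageDecoder = getInboundMessageDecoder(artifactResolutionRequestContext);
            artifactResolutionRequestContext.setMessageDecoder(inboundMessageDecoder);
            inboundMessageDecoder.decode(artifactResolutionRequestContext);
            this.log.debug("Decoded artifact resolution request from relying party '{}'", artifactResolutionRequestContext.getInboundMessageIssuer());
        } catch (MessageDecodingException e) {
            artifactResolutionRequestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER, null, "Error decoding artifact resolve message"));
            this.log.warn("Error decoding artifact resolve message", e);
            throw new ProfileException("Error decoding artifact resolve message", e);
        } catch (SecurityException e) {
            // The status message is deliberately generic; the detail goes to the log only.
            artifactResolutionRequestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER, StatusCode.REQUEST_DENIED, "Message did not meet security requirements"));
            this.log.warn("Message did not meet security requirements", e);
            throw new ProfileException("Message did not meet security requirements", e);
        } finally {
            populateRequestContext(artifactResolutionRequestContext);
        }
    }

    /**
     * Populates relying party information and, when peer metadata is available, selects the
     * peer's SP SSO role descriptor for the SAML 1.1 protocol.
     *
     * @param baseSAMLProfileRequestContext current request context
     * @throws ProfileException if the superclass fails to populate the relying party information
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler
    public void populateRelyingPartyInformation(BaseSAMLProfileRequestContext baseSAMLProfileRequestContext) throws ProfileException {
        super.populateRelyingPartyInformation(baseSAMLProfileRequestContext);
        EntityDescriptor peerEntityMetadata = baseSAMLProfileRequestContext.getPeerEntityMetadata();
        if (peerEntityMetadata != null) {
            baseSAMLProfileRequestContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
            baseSAMLProfileRequestContext.setPeerEntityRoleMetadata(peerEntityMetadata.getSPSSODescriptor("urn:oasis:names:tc:SAML:1.1:protocol"));
        }
    }

    /**
     * Populates asserting party information and, when local metadata is available, selects this
     * entity's attribute authority role descriptor for the SAML 1.1 protocol.
     *
     * @param baseSAMLProfileRequestContext current request context
     * @throws ProfileException if the superclass fails to populate the asserting party information
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler
    public void populateAssertingPartyInformation(BaseSAMLProfileRequestContext baseSAMLProfileRequestContext) throws ProfileException {
        super.populateAssertingPartyInformation(baseSAMLProfileRequestContext);
        EntityDescriptor localEntityMetadata = baseSAMLProfileRequestContext.getLocalEntityMetadata();
        if (localEntityMetadata != null) {
            baseSAMLProfileRequestContext.setLocalEntityRole(AttributeAuthorityDescriptor.DEFAULT_ELEMENT_NAME);
            baseSAMLProfileRequestContext.setLocalEntityRoleMetadata(localEntityMetadata.getAttributeAuthorityDescriptor("urn:oasis:names:tc:SAML:1.1:protocol"));
        }
    }

    /**
     * Does nothing: this profile adds no SAML message information to the context.
     *
     * @param baseSAMLProfileRequestContext current request context (unused)
     * @throws ProfileException never thrown by this implementation
     */
    @Override // edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler
    protected void populateSAMLMessageInformation(BaseSAMLProfileRequestContext baseSAMLProfileRequestContext) throws ProfileException {
    }

    /**
     * Selects the endpoint the response is sent to.
     *
     * <p>For the SOAP inbound binding a bare endpoint carrying only the SOAP binding URI is built.
     * For any other binding the endpoint is chosen from the peer's metadata by a
     * {@link BasicEndpointSelector} restricted to the supported outbound bindings.</p>
     *
     * @param baseSAMLProfileRequestContext current request context
     * @return the selected endpoint, as returned by the builder or the selector
     */
    @Override // edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler
    protected Endpoint selectEndpoint(BaseSAMLProfileRequestContext baseSAMLProfileRequestContext) {
        // Constant-first comparison: an unset inbound binding falls through to metadata-based
        // selection instead of failing with a NullPointerException.
        if ("urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding".equals(getInboundBinding())) {
            Endpoint soapEndpoint = (Endpoint) this.acsEndpointBuilder.buildObject();
            soapEndpoint.setBinding("urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding");
            return soapEndpoint;
        }

        BasicEndpointSelector selector = new BasicEndpointSelector();
        selector.setEndpointType(AssertionConsumerService.DEFAULT_ELEMENT_NAME);
        selector.setMetadataProvider(getMetadataProvider());
        selector.setEntityMetadata(baseSAMLProfileRequestContext.getPeerEntityMetadata());
        selector.setEntityRoleMetadata(baseSAMLProfileRequestContext.getPeerEntityRoleMetadata());
        selector.setSamlRequest(baseSAMLProfileRequestContext.getInboundSAMLMessage());
        selector.getSupportedIssuerBindings().addAll(getSupportedOutboundBindings());
        return selector.selectEndpoint();
    }

    /**
     * Resolves the artifacts in the inbound request to their stored assertions and records the
     * result on the context. (The method name keeps its original spelling for compatibility.)
     *
     * <p>An artifact is released only if its map entry exists, has not expired, was issued by this
     * IdP, and was issued to the relying party that sent the request. Artifacts that fail a check
     * are logged and skipped and stay in the map; released artifacts are removed so that they
     * cannot be redeemed a second time.</p>
     *
     * @param artifactResolutionRequestContext current request context
     * @throws ProfileException if the request carries no artifacts
     */
    protected void derferenceArtifacts(ArtifactResolutionRequestContext artifactResolutionRequestContext) throws ProfileException {
        List<AssertionArtifact> assertionArtifacts = ((Request) artifactResolutionRequestContext.getInboundSAMLMessage()).getAssertionArtifacts();
        if (assertionArtifacts == null || assertionArtifacts.isEmpty()) {
            artifactResolutionRequestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER, StatusCode.REQUEST_DENIED, "No AssertionArtifacts available in request"));
            String msg = "No AssertionArtifacts available in request from relying party " + artifactResolutionRequestContext.getInboundMessageIssuer();
            this.log.warn(msg);
            throw new ProfileException(msg);
        }

        String requester = artifactResolutionRequestContext.getInboundMessageIssuer();
        String localEntityId = artifactResolutionRequestContext.getLocalEntityId();
        List<Assertion> resolved = new ArrayList<Assertion>();
        for (AssertionArtifact assertionArtifact : assertionArtifacts) {
            String artifact = assertionArtifact.getAssertionArtifact();
            SAMLArtifactMap.SAMLArtifactMapEntry entry = this.artifactMap.get(artifact);
            if (entry == null || entry.isExpired()) {
                this.log.warn("Unknown AssertionArtifact '{}' from relying party '{}'", artifact, requester);
                continue;
            }
            if (!entry.getIssuerId().equals(localEntityId)) {
                this.log.warn("Artifact issuer mismatch.  Artifact issued by '{}' but IdP has entity ID of '{}'", entry.getIssuerId(), localEntityId);
                continue;
            }
            // Bind the artifact to its intended recipient. Without this check any relying party that
            // passes the security policy could redeem an artifact issued to a different one. A
            // requester that could not be identified (null) is refused as well.
            if (requester == null || !requester.equals(entry.getRelyingPartyId())) {
                this.log.warn("Artifact requester mismatch.  Artifact issued to '{}' but resolution requested by '{}'", entry.getRelyingPartyId(), requester);
                continue;
            }

            // One-time use: consume the artifact before releasing the message.
            // NOTE(review): get() followed by remove() is not atomic here; whether two concurrent
            // requests can both redeem the same artifact depends on the SAMLArtifactMap
            // implementation - confirm.
            this.artifactMap.remove(artifact);
            Object message = entry.getSamlMessage();
            if (message instanceof Assertion) {
                resolved.add((Assertion) message);
            } else {
                this.log.warn("Artifact '{}' does not reference a SAML 1 assertion, ignoring it", artifact);
            }
        }
        artifactResolutionRequestContext.setDereferencedAssertions(resolved);
    }

    /**
     * Builds the success response that carries the dereferenced assertions.
     *
     * <p>The response has status {@code Success} even when no artifact could be resolved; in that
     * case it contains no assertions.</p>
     *
     * @param artifactResolutionRequestContext current request context
     * @return the response to send to the requester
     */
    protected Response buildArtifactResponse(ArtifactResolutionRequestContext artifactResolutionRequestContext) {
        Response samlResponse = this.responseBuilder.buildObject();
        samlResponse.setIssueInstant(new DateTime());
        populateStatusResponse(artifactResolutionRequestContext, samlResponse);

        Collection<Assertion> assertions = artifactResolutionRequestContext.getDereferencedAssertions();
        if (assertions != null) {
            samlResponse.getAssertions().addAll(assertions);
        }
        samlResponse.setStatus(buildStatus(StatusCode.SUCCESS, null, null));
        return samlResponse;
    }
}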
